Cisco Patches 4 'Critical' Mobile Security Flaws

Cisco Systems says it has patched four "critical" security flaws that could potentially allow attackers to wreak havoc with wireless accounts.

The flaws could allow unauthenticated access to Cisco's Policy Suite, typically used by large mobile carriers, the San Jose, Calif., company said in a series of security advisories issued Wednesday. Left unpatched, the vulnerabilities could allow attackers to take information, compromise wireless account information, and make changes to data and files, according to the advisories.

Free patches have been issued for Cisco Policy Suite's Policy Builder and OSGi interfaces; Policy Builder Database and Policy Builder Cluster Manager.

Related: Cisco Issuing Patch To Squish 'High Impact' VoIP Phone Bug

"It's always disappointing to see a security advisory that comes out and shows an opportunity for unauthenticated access to critical systems, but this has become a reality in today's world," said Lane Irvine, director of network business solutions and security at Long View Systems, a Toronto-based solution provider that works with Cisco. "This highlights the importance of layered security, monitoring and isolation to protect critical systems, even inside a customer environment."

Gary Berzack, CTO and COO at eTribeca, a New York City-based solution provider that works with Cisco, also underlined the importance of layered security as vendors like Cisco seek to consolidate solutions.

"There is some underlying code there that seems to be used in more than one platform," Berzack said. "If it is, we could see in the future a family of suites being compromised. It's one of the challenges you have with consolidating products, one device can affect others."

"Security identifications make me feel good, but updates are always a challenge," Berzack said. "Do you have to do it in off hours? Does it only affect this one item? How much testing have they done? Sometimes you can't tell whether this is real, or just good standard operating procedure."

Cisco's Product Security Incident Response Team said in a statement to CRN that customers can do an "in-service migration" that may allow traffic to continue running during the migration. "Cisco recommends customers assess the risk of any vulnerability and apply related patches through the lens of their own operational model for managing security updates," the company said.

The Policy Suite patches come less than two weeks after Cisco issued a patch for a "high-risk" vulnerability in several VoIP phone models.

That bug, found by Cisco during internal security testing, had potential to allow attackers "to perform a command injection and execute commands with the privileges of the web server, essentially leaving an opening for attackers to make and listen to calls and steal data.